
Support for pkcs12 certificates with aes256cbc as pbe algorithm #1087

Open
4 of 6 tasks
underscoredje opened this issue Apr 8, 2024 · 6 comments
Labels
status: triage Scope to be determined

Comments

@underscoredje

Issue Description

New systems with OpenSSL v3 seem to use the following algorithms to generate PKCS#12 certificates:

  • hmac: sha256
  • pbe: aes256cbc

When using these certificates to sign documents, it raises the error: Error: Failed to get private key bags.

My tests show the issue comes from the PBE aes256cbc algorithm.

Steps to Reproduce

  • Generate a pkcs12 certificate file with aes-256-cbc.
    It should be the default setting with opensslv3
    Otherwise we can generate it with the following command: openssl pkcs12 -export -out cert-aes256cbc.p12 -inkey private.key -in certificate.crt -keypbe aes-256-cbc -certpbe aes-256-cbc

  • Then use it with documenso to sign documents

Expected Behavior

  • Documents to be signed without error

Current Behavior

  • Signing document step hangs
  • Logs show the following:
2024-04-08T10:06:25.248226950Z Error: Failed to get private key bags
2024-04-08T10:06:25.248401860Z     at D (/app/apps/web/.next/server/chunks/8690.js:1:353526)
2024-04-08T10:06:25.248412583Z     at async D (/app/apps/web/.next/server/chunks/8690.js:1:351623)
2024-04-08T10:06:25.248418676Z     at async i (/app/apps/web/.next/server/chunks/8690.js:1:5527)
2024-04-08T10:06:25.248424797Z     at async h (/app/apps/web/.next/server/pages/api/trpc/[trpc].js:1:39385)
2024-04-08T10:06:25.248430176Z     at async /app/apps/web/.next/server/pages/api/trpc/[trpc].js:1:109200
2024-04-08T10:06:25.248435549Z     at async resolveMiddleware (file:///app/node_modules/@trpc/server/dist/index.mjs:420:30)
2024-04-08T10:06:25.248454457Z     at async callRecursive (file:///app/node_modules/@trpc/server/dist/index.mjs:456:32)
2024-04-08T10:06:25.248460568Z     at async callRecursive (file:///app/node_modules/@trpc/server/dist/index.mjs:456:32)
2024-04-08T10:06:25.248466117Z     at async resolve (file:///app/node_modules/@trpc/server/dist/index.mjs:486:24)
2024-04-08T10:06:25.248471477Z     at async inputToProcedureCall (file:///app/node_modules/@trpc/server/dist/resolveHTTPResponse-cd1a9112.mjs:46:22) {
2024-04-08T10:06:25.248477094Z   code: 'GenericFailure'
2024-04-08T10:06:25.248482380Z }

  • Documents dashboard shows a "completed" status, but documents remain unsigned.

Screenshots (optional)

No response

Operating System [e.g., Windows 10]

docker

Browser [e.g., Chrome, Firefox]

No response

Version [e.g., 2.0.1]

1.5.3 and 1.5.4-rc.3

Please check the boxes that apply to this issue report.

  • I have searched the existing issues to make sure this is not a duplicate.
  • I have provided steps to reproduce the issue.
  • I have included relevant environment information.
  • I have included any relevant screenshots.
  • I understand that this is a voluntary contribution and that there is no guarantee of resolution.
  • I want to work on creating a PR for this issue if approved

github-actions bot commented Apr 8, 2024

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as it possible 💚

Meanwhile, please feel free to hop into our community in Discord

@underscoredje underscoredje changed the title Suppor for pkcs12 certificates with aes256cbc as pbe algorithm Support for pkcs12 certificates with aes256cbc as pbe algorithm Apr 8, 2024
@megavillain

I was also getting this error and was able to work around it by creating my p12 with the -legacy option

openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem -legacy

@ElTimuro
Member

@underscoredje did you follow this https://github.com/documenso/documenso/blob/main/SIGNING.md while arriving at this error?

@underscoredje
Author

@ElTimuro : Yes, I use this command.

  • On RHEL9 / Fedora 39, the generated certificate uses aes256cbc as the PBE algorithm by default, which doesn't work with documenso.
    I suppose it will be the same with modern distros using openssl v3.
    I also have a Sectigo-generated cert using this PBE algorithm, and it is not working with documenso.

  • On centos7 (openssl v1), the generated cert works with documenso, as it doesn't use the aes256cbc algorithm by default (but rc2-40-cbc, I guess).
    We can use -keypbe aes-256-cbc -certpbe aes-256-cbc here to force aes256cbc and reproduce the issue.

@ElTimuro
Member

> @ElTimuro : Yes, I use this command.
>
>   • On RHEL9 / Fedora 39, the generated certificate uses aes256cbc as the PBE algorithm by default, which doesn't work with documenso.
>     I suppose it will be the same with modern distros using openssl v3.
>     I also have a Sectigo-generated cert using this PBE algorithm, and it is not working with documenso.
>   • On centos7 (openssl v1), the generated cert works with documenso, as it doesn't use the aes256cbc algorithm by default (but rc2-40-cbc, I guess).
>     We can use -keypbe aes-256-cbc -certpbe aes-256-cbc here to force aes256cbc and reproduce the issue.

  • Got it.
  • Could you verify this works? "openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem -legacy"
  • I would add a hint in the SIGNING.md until we update the signing library to use the new algorithm.

@underscoredje
Author

Yes, -legacy argument works on RHEL9.
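The two export paths discussed in this thread side by side, as an added example (this is not Documenso's code, nor the commands from SIGNING.md): a throwaway key and certificate are exported once with the OpenSSL 3 PBE set (PBES2 with PBKDF2 and AES-256-CBC, HMAC-SHA256 integrity MAC) and once with -legacy, and `openssl pkcs12 -info` is used to print which PBE and MAC algorithms each .p12 actually carries. The same check tells you up front whether a CA-issued bundle, like the Sectigo one mentioned above, uses the AES-256-CBC set before you upload it. The file names, the `changeit` passphrase, the scratch directory and the `run` argument are assumptions for the demo. Note that -legacy selects pbeWithSHA1And40BitRC2-CBC for the certificate bags and pbeWithSHA1And3-KeyTripleDES-CBC for the key with a SHA-1 MAC, which is a weaker container than the default; it is a workaround for the parser, not an upgrade.

```shell
#!/bin/sh
# Added example, not Documenso's code. Needs OpenSSL 3.x: -legacy does not exist
# in 1.1.x, and it also needs the optional "legacy" provider (RC2 lives there).
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (assumption for the demo)
PASS="pass:changeit"             # demo passphrase only; never hard-code a real one

# Self-signed throwaway certificate so the whole example runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -noenc -days 1 \
        -subj "/CN=pkcs12-pbe-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# The OpenSSL 3 default set, spelled out so the result is pinned regardless of
# build defaults: PBES2 (PBKDF2 + AES-256-CBC) for both bag types, SHA-256 MAC.
export_modern() {
    openssl pkcs12 -export -out "$WORK/cert-aes256cbc.p12" \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" -passout "$PASS" \
        -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256
}

# The workaround from this thread: -legacy selects the pre-3.0 PBE set
# (RC2-40-CBC for certificates, 3-key 3DES for the key, SHA-1 MAC).
export_legacy() {
    openssl pkcs12 -export -out "$WORK/cert-legacy.p12" \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" -passout "$PASS" -legacy
}

# List the PBE and MAC algorithms of a .p12 without writing its key or certs.
# 'openssl pkcs12 -info' prints these structural lines to stderr, hence 2>&1.
p12_algs() {
    openssl pkcs12 -info -noout -in "$1" -passin "$PASS" 2>&1 \
        | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)' \
        | sort -u
}

# Re-wrap an existing AES-256-CBC .p12 (e.g. one issued by a CA) with the legacy
# PBE set. The intermediate PEM holds the UNENCRYPTED private key: keep it in a
# private scratch directory and remove it as soon as the new bundle exists.
p12_to_legacy() {
    src="$1"; dst="$2"
    tmp="$(mktemp "$WORK/bundle.XXXXXX")"
    openssl pkcs12 -in "$src" -passin "$PASS" -noenc -out "$tmp"
    openssl pkcs12 -export -in "$tmp" -passout "$PASS" -legacy -out "$dst"
    rm -f "$tmp"
}

main() {
    make_test_cert
    export_modern
    echo "== cert-aes256cbc.p12 (OpenSSL 3 default set)"
    p12_algs "$WORK/cert-aes256cbc.p12"
    if export_legacy 2>/dev/null; then
        echo "== cert-legacy.p12 (-legacy)"
        p12_algs "$WORK/cert-legacy.p12"
        p12_to_legacy "$WORK/cert-aes256cbc.p12" "$WORK/converted-legacy.p12"
        echo "== converted-legacy.p12 (re-wrapped from the AES-256-CBC file)"
        p12_algs "$WORK/converted-legacy.p12"
    else
        echo "legacy provider not available: -legacy export skipped" >&2
    fi
}

# Run the demo only when asked, so the functions can also be sourced.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh pkcs12-pbe-demo.sh run`. The AES-256-CBC file prints lines of the form `PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, ...` and `MAC: sha256, ...`; the -legacy file prints `pbeWithSHA1And40BitRC2-CBC` / `pbeWithSHA1And3-KeyTripleDES-CBC` and `MAC: sha1`. On a distribution that ships OpenSSL 3 without the legacy provider, `-legacy` fails and the script says so instead of silently producing an AES-256-CBC bundle.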

@adithyaakrishna adithyaakrishna added status: triage Scope to be determined and removed needs triage labels May 8, 2024

4 participants